
Collect Logs for Imperva - Incapsula Web Application Firewall

Steps to collect logs from Imperva Incapsula, and to ingest them into Sumo.

Collect Logs for Imperva Incapsula

Set up log integration in Imperva Incapsula

To configure log integration:

  1. Log in to your Incapsula account.
  2. On the sidebar, click Logs > Log Setup.
  3. Under Connection, select Amazon S3.
  4. Next, fill in your credentials:
    • Your S3 Access key, Secret key, and Path, where Path is the folder in which the logs are stored. Enter the path in the following format: <Amazon S3 bucket name>/<log folder>. For example: MyBucket/MyIncapsulaLogFolder.

    • Click Test connection to perform a full testing cycle in which a test file will be transferred to your designated folder. The test file does not contain real data, and will be removed by Incapsula when the transfer is complete.

  5. Configure the additional options:
    • Format. Select CEF as the format for the log files (the queries below expect CEF).
    • Compress logs. By default, log files are compressed. Clear this option to keep the logs uncompressed.

For detailed instructions, see the Imperva Incapsula log integration documentation.

Set up in Sumo Logic

  1. Add a Sumo Logic Hosted Collector.
  2. Configure an AWS S3 Source on that collector, pointing it at the bucket and log folder entered in the Incapsula log setup above.

Sample Log Message

CEF:0|Incapsula|SIEMintegration|1|1|Bot Access Control|4| fileId=873000110240153595 siteid=1161087 suid=639571 requestClientApplication=Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2) cs2=false cs2Label=Javascript Support cs3=true cs3Label=CO Support src= cs1=NA cs1Label=Cap Support cs4=7b83f995-690d-400d-bdb1-fba691432625 cs4Label=VID cs5=11ca5e18bca8fe0ca9d8f7cabc6da528f8a02dbf60090897bd67ac19e818f097eaa83b0b619cd66143149644201e210cd181b65c9c4ad96ae43938bb1aeee0a335a9cd871db32aa4fc7b8a9463366cc4 cs5Label=clappsig dproc=Unclassified cs6=Bot cs6Label=clapp ccode=[UA] cs7=50.45 cs7Label=latitude cs8=30.5233 cs8Label=longitude Customer=Ricardo LAB start=1513784780813 requestMethod=GET app=HTTP act=REQ_BLOCKED_SECURITY deviceExternalId=462767908564041914 fileType=915,312,314 filePermission=0,0,0 cs9=Suspicious Bot Traffic,Suspicious Bot Traffic,Suspicious Bot Traffic cs9Label=Rule name

Query Samples

Parse Command for all CEF items in Imperva Incapsula

| parse "fileId=* " as ID nodrop
| parse "src=* " as main_client_ip nodrop
| parse "caIP=* " as additional_client_ip nodrop
| parse "requestClientApplication=* cs2" as user_agent nodrop
| parse "request=* " as URL nodrop
| parse "tag=* " as ref_id nodrop
| parse "cicode=* " as City nodrop
| parse "ccode=[*] " as country_code nodrop
| parse "app=* " as Protocol nodrop
| parse "deviceExternalId=* " as request_id nodrop
| parse "ref=* " as Referrer nodrop
| parse "requestMethod=* " as Method nodrop
| parse "cn1=* " as http_status_code nodrop
| parse "xff=* " as X_Forwarded_For nodrop
| parse "in=* " as content_length nodrop
| parse "suid=* " as account_id nodrop
| parse "Customer=* " as account_name nodrop
| parse "siteid=* " as site_id nodrop
| parse "sourceServiceName=* " as site_name nodrop
| parse "act=* " as request_result nodrop
| parse "postbody=* " as post_body nodrop
| parse "start=* " as request_start_time nodrop
| parse "sip=* " as server_ip nodrop
| parse "spt=* " as server_port nodrop
| parse "qstr=* " as query_string nodrop
| parse "cs1=* " as captcha_support nodrop
| parse "cs2=* cs2" as js_support nodrop
| parse "cs3=* cs3" as cookies_support nodrop
| parse "cs4=* cs4" as visitor_id nodrop
| parse "cs5=* cs5" as Debug nodrop
| parse "cs6=* cs6" as client_app nodrop
| parse "cs7=* cs7" as Latitude nodrop
| parse "cs8=* cs8" as Longitude nodrop
| parse "cs9=* cs9" as rule_name nodrop
| parse "filePermission=* " as attack_id nodrop
| parse "fileType=* " as attack_type nodrop
| parse "dproc=* cs6" as browser_type nodrop
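As an added example (not code from the Sumo Logic page or from Imperva), the following Python parser performs the same CEF splitting outside Sumo: it separates the seven pipe-delimited header fields, extracts the space-separated extension keys while keeping values that themselves contain spaces (such as the user agent), resolves Incapsula's csN/csNLabel pairs into named fields, and reproduces the policy-type count used in the Top attack vectors query. The sample line and the field names HEADER, KV_RE, parse_cef, attack_pairs and top_policy_types are this example's own; the sample is abridged from the page's sample message.

```python
import re
from collections import Counter

# Constructed sample for this example, abridged from the page's sample message
# (the long cs5 signature is shortened; real files carry one record per line).
SAMPLE = (
    "CEF:0|Incapsula|SIEMintegration|1|1|Bot Access Control|4| fileId=873000110240153595 "
    "siteid=1161087 suid=639571 requestClientApplication=Mozilla/5.0 (compatible; MSIE 10.0; "
    "Windows NT 6.2) cs2=false cs2Label=Javascript Support cs3=true cs3Label=CO Support src= "
    "cs1=NA cs1Label=Cap Support cs4=7b83f995-690d-400d-bdb1-fba691432625 cs4Label=VID "
    "cs5=11ca5e18bca8fe0c cs5Label=clappsig dproc=Unclassified cs6=Bot cs6Label=clapp "
    "ccode=[UA] cs7=50.45 cs7Label=latitude cs8=30.5233 cs8Label=longitude Customer=Ricardo LAB "
    "start=1513784780813 requestMethod=GET app=HTTP act=REQ_BLOCKED_SECURITY "
    "deviceExternalId=462767908564041914 fileType=915,312,314 filePermission=0,0,0 "
    "cs9=Suspicious Bot Traffic,Suspicious Bot Traffic,Suspicious Bot Traffic cs9Label=Rule name"
)

HEADER = ["version", "vendor", "product", "device_version", "signature_id", "policy_type", "severity"]
# A key is a run of word characters directly before '='; a value runs until the
# next " key=" token, so values containing spaces (user agents) survive intact.
KV_RE = re.compile(r"(?:^|\s)(\w+)=(.*?)(?=\s\w+=|$)")

def parse_cef(line):
    """Return {'header': {...}, 'ext': {...}, 'labels': {...}} for one CEF line."""
    parts = line.split("|", 7)                       # header is the first 7 pipe fields
    header = dict(zip(HEADER, parts[:7]))
    header["version"] = header["version"].split(":", 1)[-1]   # "CEF:0" -> "0"
    ext = dict(KV_RE.findall(parts[7] if len(parts) > 7 else ""))
    # Incapsula's csN fields carry their meaning in csNLabel; resolve them by name.
    labels = {v: ext[k[:-5]] for k, v in ext.items() if k.endswith("Label") and k[:-5] in ext}
    if "ccode" in ext:                               # country code arrives as "[UA]"
        ext["ccode"] = ext["ccode"].strip("[]")
    return {"header": header, "ext": ext, "labels": labels}

def attack_pairs(rec):
    """Pair the comma-separated attack type ids (fileType) with their rule names (cs9)."""
    ids = rec["ext"].get("fileType", "").split(",")
    names = rec["ext"].get("cs9", "").split(",")
    return list(zip(ids, names))

def top_policy_types(lines, blocked_only=True):
    """Mirror the page's Top attack vectors query: count records by policy type."""
    counts = Counter()
    for rec in map(parse_cef, lines):
        if blocked_only and rec["ext"].get("act") != "REQ_BLOCKED_SECURITY":
            continue                                 # only count blocked requests
        counts[rec["header"]["policy_type"]] += 1
    return counts.most_common(10)
```

Running this over a downloaded log file lets you check, before writing Sumo queries, that the exported CEF has the fields and labels the parse command above expects.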

Top attack vectors

| parse "SIEMintegration|1|1|*|" as policy_type
| parse "sourceServiceName=* " as site_name
| count by policy_type
| top 10 policy_type by _count